# Network Architecture

All machines use VirtualBox's `NAT network` mode. This keeps the malware contained in a virtual network so that it does not affect our physical host.

We can learn more about the various networking options inside of VirtualBox from these resources:

* [Virtual Networking](https://www.virtualbox.org/manual/ch06.html)
* [VirtualBox networking - NAT, NAT network, bridged network, internal network, host only network](https://www.youtube.com/watch?v=2Fkf6Kysh7I&t=461s)
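As an added example (not part of the original page or the lab's own tooling), a POSIX shell check that audits a VM's NIC configuration for the NAT network mode described above, so a bridged or host-only adapter is caught before the malware VM is powered on; the network name `MalwareLab`, the `LAB_NET` variable and the setup commands in the header comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: check that a lab VM's NICs all use VirtualBox's
# "NAT network" mode on the intended network, so a malware VM is never left bridged to the LAN.
# Assumptions (not stated on the page): the NAT network is named MalwareLab (override via LAB_NET)
# and was created with the VBoxManage commands:
#   VBoxManage natnetwork add --netname MalwareLab --network "10.0.2.0/24" --enable --dhcp on
#   VBoxManage modifyvm "<vm>" --nic1 natnetwork --nat-network1 MalwareLab
LAB_NET="${LAB_NET:-MalwareLab}"

# check_vm_nics FILE: FILE holds `VBoxManage showvminfo <vm> --machinereadable` output.
# Prints one line per offending NIC and returns 0 only if every enabled NIC is on $LAB_NET.
# Plain "nat" mode is rejected too: each NAT-mode VM sits on its own private network, so the
# Wazuh agents could not reach the Wazuh server through it.
check_vm_nics() {
    info="$1"; rc=0
    for n in 1 2 3 4 5 6 7 8; do
        mode=$(sed -n "s/^nic$n=\"\(.*\)\"\$/\1/p" "$info")
        # Absent or disabled NICs are fine.
        [ -z "$mode" ] || [ "$mode" = "none" ] && continue
        if [ "$mode" != "natnetwork" ]; then
            echo "nic$n: mode '$mode' is not natnetwork (VM could reach the host or physical LAN)"
            rc=1
            continue
        fi
        net=$(sed -n "s/^nat-network$n=\"\(.*\)\"\$/\1/p" "$info")
        if [ "$net" != "$LAB_NET" ]; then
            echo "nic$n: attached to NAT network '$net', expected '$LAB_NET'"
            rc=1
        fi
    done
    return $rc
}

# audit_vm VMNAME: run the check against a live VM (needs VBoxManage on PATH).
audit_vm() {
    tmp=$(mktemp)
    VBoxManage showvminfo "$1" --machinereadable > "$tmp" || { rm -f "$tmp"; return 2; }
    check_vm_nics "$tmp"; rc=$?
    rm -f "$tmp"; return $rc
}

# Constructed sample (not real output): a VM whose first NIC was left bridged.
sample=$(mktemp)
printf 'nic1="bridged"\nbridgeadapter1="eth0"\nnic2="natnetwork"\nnat-network2="%s"\n' "$LAB_NET" > "$sample"
if check_vm_nics "$sample"; then echo "OK: all NICs on $LAB_NET"; else echo "FAIL: fix NICs before powering on"; fi
rm -f "$sample"
```

Run `audit_vm "<vm name>"` for each lab machine after configuration changes; a non-zero exit means a NIC can bypass the NAT network.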

## Topology

The architecture of the lab is as follows:

<figure><img src="https://1088759916-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLNzD73pEJC4U94NEAs4j%2Fuploads%2FamujRvAoc3BQE9XRH4nL%2FArchitecture.drawio.svg?alt=media&#x26;token=e29d8cc4-07bc-44d9-9f76-3103721fbccf" alt=""><figcaption></figcaption></figure>

## Components

| Component | Purpose |
| --- | --- |
| Wazuh server - SIEM and XDR | Indexes and stores alerts generated by the Wazuh server and provides near real-time data search and analytics capabilities. |
| Wazuh agent - Endpoint detection | <p>Protects the system by providing threat prevention, detection, and response capabilities.</p><p>Collects different types of system and application data that it forwards to the Wazuh server through an encrypted and authenticated channel.</p> |
| Cortex/MISP - Threat Intelligence | Threat intelligence platform on which observables such as IP and email addresses, URLs, domain names, files or hashes can be analyzed through a web interface. |
| Shuffle - SOAR platform | No-code automation platform (SOAR) that lets users automate processes. |
| TheHive - Case Management | Allows SOC analysts to collaborate, elaborate and act on investigations. |
